@tryghost/mg-curated-export

tbc

Supply chain provenance

Status for the latest visible version.

SLSA provenance attestation npm registry signatures No source commit

Maintainers

zimoatghostallouiskernalghostchrisraibleerisdsjohnonolankevinansfieldcobbspuraileencgnjlohminimaluminiumsam-lordpauladamdavisbobvaneckjoeegrigghadretjonhickmanerik-ghostsagzyvershwalmike182uklsingernickmoretonrblstr-ghostevanhahn-ghostweylandswartghost-slimertmciescojonatan-ghost9larsons

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source	Rule	Reason	Accepted by	When
provenance	slsa-provenance	AI (provenance): Ghost Foundation publishes via GitHub Actions with Sigstore attestation; stable pattern for this org.	ai	2026/05/01
phantom-deps	phantom-dep:cheerio	AI (phantom-deps): cheerio is declared in dependencies and used in the package; phantom-dep heuristic is a false positive here.	ai	2026/05/01
publish-pattern	dormant-publish	AI (publish-pattern): Ghost Foundation org package with SLSA attestation; dormancy reflects org publish cadence, not takeover.	ai	2026/05/01

Versions (showing 18 of 18)

Version	Deps	Published
0.11.0	4 / 1	2026-05-07
0.10.3	4 / 1	2026-04-28
0.10.1	5 / 1	2026-04-24
0.10.0	5 / 1	2026-04-20
0.7.0	3 / 1	2026-04-06
0.6.0	3 / 1	2026-04-05
0.5.0	3 / 1	2026-04-04
0.4.0	3 / 1	2026-03-31
0.3.44	3 / 1	2026-03-24
0.3.43	3 / 1	2026-03-11
0.3.42	3 / 3	2026-02-23
0.3.41	3 / 3	2026-02-20
0.3.40	3 / 3	2026-01-22
0.3.39	3 / 3	2025-11-26
0.3.38	3 / 3	2025-08-07
0.3.37	3 / 3	2025-08-05
0.3.36	3 / 3	2025-08-02
0.3.35	3 / 3	2025-07-01

v0.11.0

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.10.3

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.10.1

2 findings

HIGH Missing gitHead — previous versions had it provenance

This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: GitHub Actions.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.10.0

2 findings

HIGH Missing gitHead — previous versions had it provenance

This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: GitHub Actions.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.7.0

2 findings

HIGH Missing gitHead — previous versions had it provenance

This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: GitHub Actions.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.6.0

2 findings

HIGH Missing gitHead — previous versions had it provenance

This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: GitHub Actions.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.5.0

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.